Education body apologises after breach of data security

The Irish Examiner has learnt that the breach involved some personal data which is held in the CETB’s part-time staff online payments system database.

The breach resulted in at least one person having sight of the personal data relating to some current and some former CETB staff.

The compromised data included the names and addresses, email addresses and telephone numbers, the employee numbers and the PPS numbers of the 10 staff. No banking or financial data was compromised.

The affected staff have been informed of the breach, and the Office of the Data Protection Commissioner has also been notified, in accordance with data protection regulations.

The ETB said it became aware of the security breach on August 17 and moved immediately to deal with the issue.

The CETB said once it became aware of the issue, it consulted with the software development company to explore how and why it happened.

It said it appears that 10 system users were inadvertently granted “inappropriate levels of functionality” in September 2016.

It said the system’s logs show that only four of these users logged onto the system since then.

Of these four users, the CETB said it knows that at least one user had sight of some of the personal data of current and former CETB staff.

“In accordance with data protection regulations, the CETB has a policy of advising all staff of data breach incidences which might in any way affect them,” it said in a statement.

The CETB has apologised unreservedly to all current and former staff for the breach and it has moved to assure them that as soon as it became aware of the breach, all 10 affected user accounts were shut down and “appropriate access rights” were assigned to those accounts before they were reactivated.

The CETB chief executive, Ted Owens, told the Irish Examiner that the person authorised to make payments to staff in one centre noticed that he had access to details relating to staff in other centres.

“This breached Cork ETB authorisation standards as only the authorised staff in each centre should have access to the details of the staff in that centre,” he said.

“The matter has now been fully resolved, Cork ETB staff/former staff data is secure and no action is required by staff in this regard.”

News of the breach comes just days after AIB apologised for losing personal information relating to over 500 of its customers in the west of Ireland.

Printed material containing names, loan and deposit balances, as well as account turnover and annual fees which had been collated on a spreadsheet, was lost by a staff member on August 31 while travelling between two branches for an internal meeting which was organised to discuss a general review of branch portfolios.

Most of the material related to account holders around Co Galway.

The data did not contain contact information or customer addresses, and their bank accounts remain secure and protected.

The bank has apologised for the breach and has reported the matter to the Office of the Data Protection Commissioner.